The Busting of LulzSec: Lessons in OpSec

Operational Security (OpSec) is the discipline of denying an adversary information that would be advantageous in their plans against you. Maintaining anonymity is a very effective technique for OpSec, but it’s also one of the hardest to achieve. The longer an anonymous operator is active, the more peripheral information will be exposed. When that peripheral information finally exceeds the threshold necessary for an adversary to correlate it, the protection of anonymity fails.

Domestic Law Enforcement Agencies (LEAs) are an even more powerful adversary than the vaunted “nation state actor” we normally talk about in IT security. This is fundamentally because of two primary advantages that LEAs have and that even a foreign government can’t (easily) exploit.

1. They have lawful access to a HUGE amount of peripheral information. Things like cell phone and ISP records are much easier for a LEA to access than for almost any other adversary.

2. They have lawful leverage against people’s physical and financial well-being. This makes it orders of magnitude easier to turn any accomplices against you.

Throwing down the gauntlet against a LEA (or a collection of LEAs) is probably the single most-likely-to-fail action any individual can take. And yet, this is exactly what the LulzSec crew did last year. It’s instructive to examine the eventual OpSec failures once LEAs devoted attention to them.

It only takes one weak link…

The de facto head of LulzSec was a hacker named Sabu. Sabu religiously used a service called Tor to anonymize his IP address while online. Unfortunately for him, he logged into IRC one time without using Tor. That’s all it took for the FBI to locate and eventually arrest him.

That’s only the start of the story though, because while LulzSec claimed to be a leaderless collective, the FBI was treating them as a criminal conspiracy. When dealing with a conspiracy, the best way to wrap everyone up is to turn a member of the conspiracy into a source and then use his (or her) cooperation to capture everyone involved.

And that’s exactly what the FBI did with Sabu.

Once the FBI (using advantage #1) had tracked down Sabu “in real life”, they used advantage #2 to turn him into a source. It turned out Sabu was the legal guardian of two young kids, and the FBI eventually succeeded in using the threat of separating him from the kids via a stint in federal prison to turn him into a source. Once he was in the bag, they instrumented everything about his online activities and set him to work unmasking the other members of LulzSec.

Sabu isn’t the end of the OpSec story; he was just the beginning

Taking down the “head” of the gang would be the culmination of the plot if this were a Hollywood movie, but the real world doesn’t work that way. This is where the real lessons in OpSec start to surface. We now shift our focus from Sabu to one of his accomplices – “sup_g”. Sup_g felt comfortable with Sabu and made the mistake of having “loose lips” in IRC chats. During the period that Sabu was working as a double agent, he got sup_g to expose personal details such as:

He acknowledged alternate aliases in IRC, allowing the FBI to tie each of his various online personas into a single target profile.

He mentioned prior run-ins with the police and even prior prison time.

He mentioned his association with the “Freegan” movement.

Again, the FBI used their legal access to huge amounts of information to sweep through old records of arrests, prison time, and prior (unrelated) surveillance notes. Once they had all that information, they correlated it down to a suspect – Jeremy Hammond in Chicago. All these innocuous conversations with Sabu ended up exposing Hammond, and once the FBI had a suspect, the full LEA machine went into motion.

Inexplicably, Hammond was using a wireless network in his apartment. (When you’re doing something illegal, you probably shouldn’t be literally broadcasting it throughout the neighborhood.) The FBI eventually started watching his wireless activity and internet connection 24×7, as well as having him under physical surveillance. Their detailed tracking of Hammond’s physical activities was combined with Sabu’s reports on when sup_g was online in IRC. Once the correlation was well established, the FBI went to a judge and got a warrant. Game over for Jeremy.
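To make the “correlation threshold” from the opening paragraph concrete, here is an added illustration (not from the original post) of the kind of check described above: each reported IRC session of an alias is compared against a physical-presence log for a suspect, and sessions are counted as consistent, contradicted, or simply unobserved. All timestamps and observations below are constructed sample data; the scoring rule (a session is consistent only if a “present” observation covers it entirely, and contradicted if it overlaps any “absent” observation) is an assumption for the example.

```python
from datetime import datetime

# Constructed sample data: IRC session windows reported for the alias.
IRC_SESSIONS = [
    ("2012-02-20 21:05", "2012-02-20 23:40"),
    ("2012-02-22 01:10", "2012-02-22 03:30"),
    ("2012-02-23 20:00", "2012-02-23 22:15"),
    ("2012-02-25 19:30", "2012-02-25 21:00"),
    ("2012-02-27 22:00", "2012-02-27 23:00"),  # no surveillance record this night
]

# Constructed sample data: (start, end, present_at_home) surveillance observations.
PRESENCE_OBSERVATIONS = [
    ("2012-02-20 18:00", "2012-02-21 08:00", True),
    ("2012-02-22 00:00", "2012-02-22 06:00", True),
    ("2012-02-23 19:00", "2012-02-23 23:00", False),  # suspect seen away from the apartment
    ("2012-02-25 19:00", "2012-02-25 22:00", True),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def overlap_minutes(a0, a1, b0, b1):
    """Minutes shared by intervals [a0, a1] and [b0, b1]; 0 if disjoint."""
    latest_start, earliest_end = max(a0, b0), min(a1, b1)
    return max(0.0, (earliest_end - latest_start).total_seconds() / 60)

def correlate(sessions, observations):
    """Classify each online session against the physical-presence record."""
    counts = {"consistent": 0, "contradicted": 0, "unobserved": 0}
    for s0, s1 in sessions:
        s0, s1 = parse(s0), parse(s1)
        session_len = (s1 - s0).total_seconds() / 60
        present = absent = 0.0
        for o0, o1, at_home in observations:
            shared = overlap_minutes(s0, s1, parse(o0), parse(o1))
            if at_home:
                present += shared
            else:
                absent += shared
        if absent > 0:
            counts["contradicted"] += 1      # online while verifiably away: alibi evidence
        elif present >= session_len:
            counts["consistent"] += 1        # online window fully inside a "present" window
        else:
            counts["unobserved"] += 1        # no usable observation; adds nothing either way
    return counts

def agreement_rate(counts):
    """Share of observed sessions that were consistent; rises toward 1.0 as evidence accumulates."""
    observed = counts["consistent"] + counts["contradicted"]
    return counts["consistent"] / observed if observed else 0.0
```

The point for OpSec is that every additional session with an overlapping observation moves this rate, and only sessions that are both observed and consistent count toward the correlation an investigator needs.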

OpSec is a full time job

Most people probably assume that hackers are caught “in the act” so to speak – tracked down by forensics from evidence they leave behind in the hack. But as both these stories illustrate, the ultimate failures of OpSec that cost both these men their freedom came during their “off hours” chat, not during the “operational” phase of a hack.

OpSec is 24×7 – and the more powerful your adversary, the harder it is to remain Anonymous.